Need advice for home version deployment

Hi everyone,

I'm new to the Sophos UTM product but LOVE what I'm seeing in the home version I'm rolling out at my house.  FYI - I'm using it in a virtualized environment on VMWare on a host with 4 gigabit Ethernet ports.  I have a fiber optic internet link at 100Mbps synchronous and can get a direct Ethernet hand-off on the WAN interface. There are a couple of challenges I'm facing and I'd like to get some general advice from some of you who may have easy answers or can at least point me in the direction.  

What I'm trying to accomplish is to replace my hardware ISP router with the virtual UTM appliance.  I want it to handle all of my web traffic monitoring/filtering, network management (DNS, DHCP, etc.) and also allow me to take advantage of a bunch of other features that I have not previously been able to set up at home before using other solutions.  My primary challenge is the cabling in the house, the ISP wiring is in a closet which is a location I can't physically locate my VMWare host server.  The way rooms in the house are wired, each room has one CAT5 cable running back to the closet where the ISP router is, patched down in a block that I had to install because previously the wiring was all a mess and piecemeal individual cables.  

Currently I have the VMWare host in an office, connected to a switch.  The switch up-link is that single Ethernet wire back to the patch panel which ultimately hooks into a switch where the ISP router is connected.  I'm trying to find a way to get a dedicated CAT5 cable to a dedicated Ethernet port on my VMWare host to use in a private ISP virtual switch which I can then present to the UTM appliance for internet/gateway traffic to/from the Internet.  

So far I've been able to get around the cabling issues by setting up my ISP router with a DMZ host and routing all incoming ports to the LAN IP of my VMWare host internal network IP.  This does technically work, I'm seeing traffic stats and devices, DNS, DHCP and most of the other services are working as expected.  This is not ideal nor a good practice but it was a quick way that I could evaluate the features of UTM 9 and see if it would be a good solution for what I wanted to do with my home network.  

In the way things are currently configured I'm also having a number of other functional issues.  One of which is a speed problem, which is unusual since I have such a fast internet link.  Accessing resources inside my home network remotely through TeamViewer, RDP or other services is extremely slow, pretty much unusable.  To make a long story short - given the above information, I'm hoping some of you guys can give me some pointers on how to best deploy the UTM.  

Is there a secure way to configure external traffic in on the internal/trusted network?  Will that affect firewall rule definitions since I can't use network based filtering variables anymore?  I fumbled my way through the firewall and NAT rules to get some external ports forwarded correctly to internal hosts, which is working!  But I want to make this a safe and secure solution and also need to fix the speed issues.  I'd also love to get rid of the ISP router, since I don't really need it and could let UTM handle all the routing and network management.  

Any tips or suggestions are greatly appreciated!



  • I have a similar setup to yours where my ISP router provides the "connection" to my internet and I have placed all LAN ports from that router in the DMZ. This means that using my PPPoE login credentials, my UTM gets an external IP address and I don't have to deal with double NAT.

    I'm assuming that you can achieve your full 100Mbps up and down speeds when you are testing from within your network, is that correct?

    Unknown said:

    Is there a secure way to configure external traffic in on the internal/trusted network?

    Can you explain what you mean by that? Are you hoping to poke a hole in your firewall to allow external traffic into your network for things like RDP (port 3389)? If so, there is only one way to safely do this and that is by ensuring the connection is encrypted and secure. You can do this via the Remote Access section of your UTM and setting up a VPN. You would then establish a VPN connection to your UTM and with the correct rules in place would give you access to your internal network resources. The other option is to use the UTM's built-in HTML5 user portal. Similar approach in that there is a secure connection established to your UTM first and then you use a web browser to connect to your internal server for RDP purposes.

    The only VPN you should be considering is L2TP/IPsec or SSL and the like. PPTP is not secure for remote access.

    As for getting rid of your router, the UTM does not have the necessary "parts" to establish a PPPoE connection so you'll still need something between your UTM and ISP ONT terminal to establish that handshake (see this article for an explanation). If you are using your fiber connection for IPTV as well then you may be stuck with your current configuration without significant work to figure out if your ISP uses VLANs and what they are in order to replicate these to use with a different router. For me, it wasn't worth the effort so I kept it in DMZ mode and I'm good to go.

  • Lucky for me that my ISP is pure fiber with an Ethernet hand-off that does not require PPPoE.  Unfortunately I don't think I can find a way to get a direct network cable between my ONT and the UTM.  So I was up late last night tinkering and got something else worked out.  I have created a separate virtual switch in VMWare and used a different Ethernet port on my host server, then set up a totally different /24 IP network between that vSwitch and the ISP router.  The router is now in DMZ mode and that seems to be working well enough.  

    I am satisfied with this setup enough not to bother putting too much effort into figuring out another option.  Maybe one day I will have the ability to do this up "right" if I move and can get better wiring or walls I can actually run cable through.  In any case, now I have a few new issues, but first let me explain the UTM setup as it stands now...

    There is my LAN link on eth0 in UTM that runs DNS, DHCP and all of my internal services.  Then I have eth1 set up as the Internet DMZ between the UTM and the ISP router.  Eth2 is my heartbeat network for HA between my two UTM VMs.  At this point I have internet access, web filtering, some firewall rules, a few NAT rules and for the most part it's working.  My problem now is that for some weird reason some of my firewall rules seem to work and others do not.  For example, my internal to external allow rules work fine overall but a few things are not working like Plex (port 32400) and my son's Clash of Clans game (port 9339).  I have allow rules set up for that in and out but it's not working.  Plex won't initiate external access on its port via the DNAT entry, and Clash of Clans won't load the game at all.  

    Pretty much everything else seems to be okay, it's just a few little quirks like the above two items that I need to figure out.  Any ideas on that?  I basically have an (Internal - ANY - ANY) rule set up so the firewall shouldn't be blocking any ports internally or headed outbound.  The game doesn't require any port forwarding, just an allow entry in the firewall which I have - but no joy.  Plex does require a DNAT rule which I have in place but also no joy.  Just so weird...

  • In order to get Plex available to the internet, you'll have to create a DNAT rule. Here is what it looks like for mine...

    The "NASH-SERVER" that you see in the "Action" section is the Host Definition that I created for my Plex server. Requests coming from the internet will be coming from whichever port from the external user but will be looking for a destination port on your LAN of 32400 so make sure you also have that Service Definition set up. This is all I needed to make Plex available to the WAN. I suspect that you'll also need this for your son's Clash of Clans (I had to do the same for my son's Minecraft server so he and his friends could access it).

    By the way if you are going to make it available to the internet you may also want to set up WAF for the Plex server.

  • Okay I tried my DNAT rule like you have it, but that didn't work for me either.  Something else is going on with my configuration I think, I just realized something interesting. Clients outside my vSwitch on the server can browse the internet through the UTM just fine without a proxy.  Clients on the internal vSwitch network (VMs) cannot get to the internet without a proxy specified.  Before I started to tinker with the web filtering options I was able to use the UTM like any other network based router.  But now it seems the proxy settings are causing an issue.  

    This isn't as intuitive as I had hoped.  I just want to get my UTM acting like a router, doing transparent web filtering in the background while allowing a couple of custom port forwarders coming in from the internet to my specific internal hosts running various services like plex.  Do you have any clue where I might have gone wrong?  

  • I also just realized that I can't ping anything on the internet through any of the servers or clients either as a VM or physical clients outside the VMWare server.  So I've definitely got some weird issues going on.  I'm sure it's something simple or a misconfiguration somewhere, I just don't know what's wrong.  I've triple checked everything and all the settings look okay to me.  Flipping off all the web filtering and advanced network protection options doesn't seem to fix anything either.  

  • Can you have a look at your UTM WAN interface (Interfaces & Routing -> Interfaces)? Does it show your internet IP?

  • Okay, smacking head on this one.  I went through every setting again, and re-read the details about the masquerade rules.  I noticed I didn't have one, so I added a rule based on my network and what do you know, I can now ping, Plex works, and so does Clash of Clans.  Oops on my part!  Thanks so much for all the tolerating of my questions and willingness to help out!  I think I'm in the clear now.  
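A toy model of the two NAT rules this thread ends on, added here as an illustration and not code from the posters or from Sophos: the DNAT rule that forwards WAN port 32400 to the Plex host definition, and the masquerade rule whose absence left LAN traffic leaving the WAN with a private source address that the Internet cannot answer. All addresses, the Plex host and the 192.168.1.0/24 network are constructed examples.

```python
from dataclasses import dataclass, replace
import ipaddress

WAN_IP = "203.0.113.10"                           # constructed UTM eth1 (WAN) address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed internal (eth0) network
PLEX_HOST = "192.168.1.20"                        # constructed Host Definition for the Plex server
DNAT_RULES = {(WAN_IP, 32400): (PLEX_HOST, 32400)}  # Service Definition TCP 32400 -> Plex host
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def is_rfc1918(addr: str) -> bool:
    """Private addresses are never routed back across the Internet."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def apply_dnat(pkt: Packet) -> Packet:
    """Inbound on WAN: rewrite the destination when a DNAT rule matches WAN IP and port."""
    target = DNAT_RULES.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=target[0], dport=target[1]) if target else pkt

def apply_masquerade(pkt: Packet, enabled: bool) -> Packet:
    """Outbound on WAN: rewrite a LAN source to the WAN address only if the rule exists."""
    if enabled and ipaddress.ip_address(pkt.src) in LAN_NET:
        return replace(pkt, src=WAN_IP)
    return pkt

def lan_ping_works(masquerade_enabled: bool) -> bool:
    """A LAN client talks to an Internet host; the reply needs a routable source to come back."""
    egress = apply_masquerade(Packet("192.168.1.50", "198.51.100.1", 0), masquerade_enabled)
    return not is_rfc1918(egress.src)

def plex_inbound_reaches_host() -> bool:
    """The DNAT rule by itself delivers an external client's request to the Plex host."""
    return apply_dnat(Packet("198.51.100.7", WAN_IP, 32400)).dst == PLEX_HOST

def plex_outbound_works(masquerade_enabled: bool) -> bool:
    """Connections the Plex host itself opens to the Internet need masquerade like any LAN host."""
    egress = apply_masquerade(Packet(PLEX_HOST, "198.51.100.9", 443), masquerade_enabled)
    return not is_rfc1918(egress.src)
```

The model shows why the DNAT rule alone looked correct yet nothing worked: inbound forwarding succeeds in both cases, but every outbound connection from the LAN, including the ones the Plex server opens itself, fails until the masquerade rule rewrites the source.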
